TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Significant Improvements Have Been Made to Protect Sensitive Data on Laptop
Computers and Other Portable Electronic Media Devices

August 31, 2009

Reference Number: 2009-20-120

This report has cleared the Treasury Inspector General for Tax Administration disclosure review process
and information determined to be restricted from public release has been redacted from this document.

Phone Number  | 202-622-6500
Email Address | inquiries@tigta.treas.gov
Web Site      | http://www.tigta.gov

DEPARTMENT OF THE TREASURY
WASHINGTON, D.C. 20220

TREASURY INSPECTOR GENERAL
FOR TAX ADMINISTRATION

August 31, 2009

MEMORANDUM FOR CHIEF TECHNOLOGY OFFICER

FROM: (for) Michael R. Phillips
      Deputy Inspector General for Audit

SUBJECT: Final Audit Report – Significant Improvements Have Been Made to
         Protect Sensitive Data on Laptop Computers and Other Portable
         Electronic Media Devices (Audit # 200820025)

This report presents the results of our review to follow up on a prior audit report [1] and determine
whether the Internal Revenue Service (IRS) is adequately protecting sensitive data on laptop
computers and other portable electronic media devices. We also evaluated the controls over
incident reporting and backup data.
This audit was included in the Treasury Inspector General
for Tax Administration Fiscal Year 2008 Annual Audit Plan and is part of our statutory
requirement to annually review the adequacy and security of IRS technology.

Impact on the Taxpayer
The IRS annually processes more than 220 million tax returns containing personal financial
information and personally identifiable information such as Social Security Numbers. While the
IRS has made significant improvements to protect sensitive data on laptop computers and other
portable electronic media devices, controls over incident reporting and backup data require
additional improvements. As a result, taxpayers may not be notified when security incidents
involving their personal data have occurred and taxpayer data may be at risk of theft and
unauthorized disclosure.

[1] The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other
Portable Electronic Media Devices (Reference Number 2007-20-048, dated March 23, 2007).

Synopsis
The IRS has effectively implemented encryption technologies on laptop computers and other
portable storage devices. These systemic encryption solutions have strengthened the protection
of taxpayer data and personally identifiable information and have reduced the chance of
unauthorized disclosure of sensitive data when laptop computers and other portable electronic
media are lost or stolen.
The IRS has also taken actions to assist employees with securing laptop
computers and sensitive data by purchasing cable locks for laptop computers, implementing a
comprehensive training strategy that instructs employees on the process for reporting lost or
stolen items, and informing employees of their responsibilities for securing sensitive data.

Although the IRS has made significant improvements relating to controls over electronic media
and the protection of sensitive data, we identified two areas where continued diligence is needed.
First, processes for tracking security incidents could be enhanced to ensure that all incidents are
properly handled. During our prior review, we identified inadequate coordination between the
IRS Computer Security Incident Response Center [2] and the Treasury Inspector General for Tax
Administration Office of Investigations [3] to ensure proper reporting of security incidents. During
this review, the number of reported incidents known by both the Computer Security Incident
Response Center and the Office of Investigations had significantly increased to 96 percent of all
related incidents, although we found incidents relating to hard copy losses that were not shared
between both organizations. We believe all incidents should be reported in a timely manner and
shared between all affected organizations. The timely reporting and sharing of incident
information enables the IRS to continue to meet incident reporting time periods, fulfill taxpayer
notification requirements, and apply consistent disciplinary actions for employee negligence.
Second, the IRS needs to enforce controls for protecting backup data from unauthorized
disclosure and ensuring its availability in the event of a disaster.
During our prior review, the
IRS was not encrypting backup data that were sent to offsite storage facilities, was not
performing annual inventory validations of the backup data, and was not always performing
periodic reviews of the approved access list of employees authorized to access the offsite storage
facilities. During this review, we found that the IRS had revised its processes and procedures
and no longer required field offices to send its backup data to offsite facilities. We confirmed
that the two field offices we visited had implemented the new procedures to transmit their
backup data through the IRS secured network to an IRS Computing Center,[4] where they were
encrypted before being sent to an offsite storage facility.

[2] The IRS Computer Security Incident Response Center is responsible for ensuring security incidents are reported to
the Treasury Computer Security Incident Response Center, which serves as the central point of contact for escalating
incidents reported by its bureaus to the United States Computer Emergency Readiness Team, in compliance with
stringent time periods, and for funneling incidents involving potential loss of personally identifiable information to
the IRS Office of Privacy, Information Protection, and Data Security for a determination of whether taxpayers must
be contacted regarding compromised data.
[3] The Office of Investigations is responsible for investigating all incidents to determine if employee negligence was
involved and, if found, to provide a report to the IRS Human Capital Office.

However, we visited one of the three IRS Computing Centers charged with
controlling IRS
backup data and found that the annual inventory validation of the backup data at the offsite
facility was not conducted. In addition, the access list of IRS employees authorized to access the
data at the offsite facility had not been recently validated and 15 individuals who no longer had a
business need had access to the backup data. The IRS indicated these weaknesses were caused
by management turnover and a lack of management oversight over backup procedures.

Recommendations
The Chief Technology Officer should ensure that 1) the IRS collaborates with the Treasury
Inspector General for Tax Administration to revise the Memorandum of Understanding to ensure
all incidents involving personally identifiable information in electronic or hard copy form are
properly reported and shared between the IRS Computer Security Incident Response Center and
the Treasury Inspector General for Tax Administration Office of Investigations, and 2) all
backup data are properly protected from unauthorized access and disclosure.

Response
IRS management agreed with the recommendations. The IRS Computer Security Incident
Response Center will collaborate with the Treasury Inspector General for Tax Administration
Office of Investigations; the Office of Privacy, Information Protection, and Data Security; and
the IRS Office of Disclosure to revise the Memorandum of Understanding to better represent the
current environment of incident reporting and sharing. The Enterprise Operations organization
will initiate consolidation of media management into one organization to ensure consistency in
media management and policy. The Modernization and Information Technology Services
organization will ensure media management controls are in place to protect backup data from
unauthorized access and disclosure.
Management’s complete response to the draft report is
included as Appendix IV.

[4] IRS Computing Centers support tax processing and information management through a data processing and
telecommunications infrastructure.

Copies of this report are also being sent to the IRS managers affected by the report
recommendations. Please contact me at (202) 622-6510 if you have questions or
Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information
Technology Services), at (202) 622-8510.

Table of Contents

Background

Results of Review
    Actions Have Been Taken to Increase the Protection of
    Sensitive Data
    Although Controls Have Improved, Additional Steps Could
    Be Taken to Expand the Reporting of Incidents and the Protection
    of Sensitive Data
        Recommendations 1 and 2

Appendices
    Appendix I – Detailed Objectives, Scope, and Methodology
    Appendix II – Major Contributors to This Report
    Appendix III – Report Distribution List
    Appendix IV – Management’s Response to the Draft Report

Abbreviations

CSIRC     Computer Security Incident Response Center
IRS       Internal Revenue Service
MOU       Memorandum of Understanding
OI        Office of Investigations
PIPDS     Office of Privacy, Information Protection, and Data Security
TIGTA     Treasury Inspector General for Tax Administration

Background

The Internal Revenue Service (IRS) annually processes more than 220 million tax returns
containing personal financial information and personally identifiable information such as Social
Security Numbers. If lost or stolen, taxpayer data can be used for identity theft and other
fraudulent purposes.
Identity theft refers to a crime in which someone wrongfully obtains and
uses another person’s personal data in some way that involves fraud or deception, typically for
financial or economic gain.

Most IRS employees use taxpayer information within IRS facilities to carry out their
responsibilities; however, some employees are allowed to take electronic taxpayer data outside
of the office for business purposes. For example, Revenue Agents may take electronic taxpayer
records outside of IRS facilities when conducting reviews with business taxpayers. When
taxpayer information is taken outside of the office, additional security controls are required, such
as:
    •    Physically protecting computer devices – Employees in possession of computer devices
         must adhere to specific security policies and handling procedures to minimize the chance
         of loss or theft of the device. For example, when transporting a laptop computer in a
         vehicle, an employee should store the computer in the vehicle’s trunk or in a place that is
         not visible from outside of the vehicle.
    •    Encrypting [1] taxpayer data on computer devices – Even if a computer device is lost or
         stolen, the data are still protected if they were encrypted.
         Encryption ensures that no one
         other than the authorized user can access and view the data maintained on the computer
         device.
    •    Using software controls to limit access to computers – If a computer is lost or stolen, the
         data can still be protected, to some degree, by requiring the user to enter a valid username
         and corresponding password during the computer startup process.[2] However, this control
         can sometimes be bypassed if the computer is not properly configured.

[1] Encryption is a method to convert readable text (i.e., plaintext) to unreadable text (i.e., ciphertext) by applying
mathematical algorithms and one or more encryption keys. This is generally performed to protect the
confidentiality, integrity, and authenticity of data during storage or transmission.
[2] This process represents a computer’s internal process of starting up when it is powered up. The process involves
the execution of preset instructions located on the computer’s hard drive, including startup of security features of the
computer, such as password protection.

    •    Reporting incidents – Any employee who loses a computer must follow specific reporting
         instructions to ensure the proper authorities are notified.
         Actions should then be taken to
         disable user accounts and determine whether taxpayer data have been compromised.

In addition, data that are backed up and stored offsite so that operations can be restored in the
event of a disaster may also be at risk.[3] If the backup location is not within the organization’s
control (e.g., a contractor’s site), security policies and procedures must be implemented to ensure
adequate data accountability and protection from unauthorized access.

Since 2003, we have conducted at least three reviews that included assessing controls over
sensitive data on laptop computers and other portable electronic media. These reviews found
internal control weaknesses in the IRS’ safeguarding of taxpayer data.[4]

This review was performed at IRS offices in Jacksonville, Florida; New Carrollton, Maryland;
Oklahoma City, Oklahoma; and Memphis, Tennessee, during the period September 2008 through
April 2009. We conducted this performance audit in accordance with generally accepted
government auditing standards. Those standards require that we plan and perform the audit to
obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and
conclusions based on our audit objectives. We believe that the evidence obtained provides a
reasonable basis for our findings and conclusions based on our audit objectives. Detailed
information on our audit objectives, scope, and methodology is presented in Appendix I. Major
contributors to the report are listed in Appendix II.

[3] In the event of a disaster, it is possible that all data maintained at a facility where the disaster occurred could be
destroyed. For example, a building fire might destroy all data stored at the facility.
An organization can reduce this
risk by maintaining backup data at a different facility.
[4] The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other
Portable Electronic Media Devices (Reference Number 2007-20-048, dated March 23, 2007); Secure
Configurations Are Initially Established on Employee Computers, but Enhancements Could Ensure Security Is
Strengthened After Implementation (Reference Number 2006-20-031, dated February 22, 2006); and Security Over
Computers Used in Telecommuting Needs to Be Strengthened (Reference Number 2003-20-118, dated July 1, 2003).

Results of Review

Actions Have Been Taken to Increase the Protection of Sensitive Data
In March 2007, we reported [5] that sensitive data were not encrypted on laptop computers and
other electronic media and that access controls were incorrectly configured and could be
circumvented to gain access to unencrypted sensitive data. In addition, we reported that physical
security was not adequate over computer equipment. We found that laptop computers
overwhelmingly represented the largest category of lost or stolen items each year, and employees
who were negligent for the losses or thefts were rarely disciplined. These deficiencies made the
IRS vulnerable to unauthorized disclosure of taxpayer data and loss of personally identifiable
information, both of which can be used for identity theft purposes.
The IRS implemented the
recommendations from this prior report, resulting in increased protection of sensitive data.

In addition, one of the recommendations from our prior report dealt with implementing a
systemic disk encryption solution on laptop computers. This solution, also known as hard disk
encryption, encrypts the entire hard drive and requires access authentication whenever the laptop
computer is operational. The IRS agreed with the recommendation and replied that it would
implement an enterprise-wide hard disk encryption solution for its laptop computers.

During this review, the IRS provided us with documentation reflecting that 99 percent of its
laptop computers contained the hard drive encryption program. During our review of 100 laptop
computers in 4 IRS offices, we confirmed that all 100 laptop computers had the hard disk
encryption software installed and that the software was functioning as intended. This solution
dramatically improved the protection of sensitive data on laptop computers and resolved the
access control deficiencies cited in our prior report.
Only after a successful logon to the
encryption software will the computer start the logon process to access other system files.
Consequently, any sensitive data on the computer remains encrypted until a user has successfully
logged on and deactivated the encryption.

[5] The Internal Revenue Service Is Not Adequately Protecting Taxpayer Data on Laptop Computers and Other
Portable Electronic Media Devices (Reference Number 2007-20-048, dated March 23, 2007).

Because files on the hard drive are no longer encrypted after a laptop computer has been turned
on, the IRS still requires employees to encrypt sensitive files on a laptop computer using the
Microsoft Windows Operating System encryption program, also known as the Encrypting File
System.[6] During this review, we found that 23 of 100 laptop computers had unencrypted
sensitive files that could be accessed by anyone who logged on to the laptop computer after the
hard disk encryption had been deactivated. These files represent taxpayer data, such as Social
Security Numbers or Taxpayer Identification Numbers on various tax forms, as well as
personally identifiable data of the employee. While these results represent an improvement over
our prior audit results where 44 of the 100 laptops tested were noncompliant, the IRS should
remain diligent in reinforcing use of its encryption technologies through its annual security
training and periodic reminders to employees.
We believe the risk of this issue is lessened by the
hard drive encryption previously discussed, which protects all files when the laptop computer is
turned off.

In addition to the hard disk encryption, the IRS has implemented an encryption solution over
data that are transferred to an external media outlet, such as a removable media storage device or
computer disk. We confirmed that the encryption solution was installed on all 100 laptop
computers we reviewed. These systemic encryption solutions have strengthened the protection
of taxpayer data and personally identifiable information at the IRS, and the encryption solutions
have reduced the chance of unauthorized disclosure of sensitive data when portable electronic
media devices are lost or stolen.

The IRS has also taken actions to assist employees with securing laptop computers and sensitive
data. One of the recommendations in our prior report dealt with the purchase of cable locks for
computers and providing employees with related security awareness training. The IRS
completed these corrective actions. During our review of the 100 laptop computers, we found
that 99 employees used cable locks to secure their laptop computers and 96 employees had
received training or instructions on how to secure laptops, use encryption, and report lost or
stolen laptops.

IRS employees reported a total of 866 incidents during the period June 14, 2006, to
September 17, 2008. We categorized the 866 incidents by item type and found that laptop
computers continued to represent the largest number of incidents (270 incidents) of lost or stolen
items. Laptop computers are attractive targets for thieves. No organization is impervious to
theft or loss of devices containing sensitive data, especially an organization as large as the IRS,
with approximately 100,000 employees and more than 40,000 laptop computers.
The IRS has
informed employees of their responsibilities for securing sensitive data and the penalties
associated with negligence.[7] In April 2008, the IRS implemented procedures for tracking
employee negligence cases to ensure that all are consistently processed and appropriate penalties
are applied. During this review, we determined that 152 of the 866 incidents involved employee
negligence and could have been prevented if the employees had followed IRS policies and
procedures. Nineteen of the 152 incidents occurred since April 2008. We reviewed these
19 incidents to determine whether the new disciplinary processes were effective. We were
encouraged to find that 17 of the 19 incidents were being processed in accordance with the newly
implemented procedures.

[6] Under the Encrypting File System, laptop computers are configured to encrypt data residing in specific file folders
on the hard drive. Employees need only to save sensitive files to these file folders and the computer will
automatically encrypt the files.
[7] Negligence is the failure to exercise that degree of care that would have been exercised by a reasonable person
under the same circumstances.

However, most of these incidents were still under investigation during
the time of our review, and we were unable to make a reliable evaluation on the effectiveness of
the new procedures.

The number of reported incidents relating to lost or stolen media potentially containing sensitive
taxpayer and employee data continued to increase from Calendar Year 2003 to Calendar
Year 2008, as illustrated by Figure 1.

Figure 1: Number of Incidents of Theft or Loss
of Computer Equipment and/or Taxpayer Data Per Year

Calendar Year        Incidents
2003                 76
2004                 96
2005                 134
2006                 245
2007                 364
2008 (projected)*    456

* We obtained incidents through September 17, 2008, and made a projection through the end of Calendar
Year 2008 using a direct proportional ratio.
Source: Our analysis and projection based on IRS Computer Security Incident Response Center and
Treasury Inspector General for Tax Administration Office of Investigations data.

We believe this upward trend is due, in part, to the increased reporting of incidents by IRS
employees.
Based on recommendations from our prior report, the IRS implemented a
comprehensive training strategy that instructed employees on the process for reporting lost or
stolen items. In Calendar Year 2006, the IRS provided additional guidance to employees to
report lost or stolen sensitive data within 1 hour of the incident, in compliance with new Federal
Government reporting requirements. As a result of the 1-hour reporting rule, we noted that
current statistics likely included incident reports of lost or stolen items that were subsequently
recovered. Employees may not have reported these incidents under previous reporting
guidelines.

According to a Calendar Year 2008 survey by the Computer Security Institute,[8] theft of laptops
or other mobile devices was the third most frequently occurring incident (42 percent) at
respondents’ organizations. In addition, the survey found that the cost of the loss of customer or
employee confidential data averaged $268,000 per incident. Therefore, the loss of a laptop
computer may be quite expensive if it contains unencrypted sensitive data. Replacing lost or
stolen laptops that were encrypted generally does not cost more than the replacement and
associated administrative costs.
While we have some concerns with the upward trend of overall
incidents, we believe the IRS has effectively mitigated much of the risk of unauthorized
disclosure of sensitive data by systemically encrypting the data on laptop computers and other
electronic devices.

Although Controls Have Improved, Additional Steps Could Be Taken
to Expand the Reporting of Incidents and the Protection of Sensitive
Data
While the IRS has made significant improvements relating to controls over electronic media and
the protection of sensitive data, continued diligence is necessary to ensure taxpayer data are fully
protected. We identified two areas where the IRS could take actions to improve the protection of
sensitive data. First, processes for tracking reported security incidents between organizations
need improvement to ensure that all affected organizations receive and exchange information
related to the incident in a timely manner. Second, the IRS needs to enforce controls for
protecting backup data from unauthorized disclosure and ensuring its availability in the event of
a disaster. As a result of deficiencies in these areas, taxpayers may not be notified when security
incidents involving their personal data have occurred and taxpayer data may be at risk of theft
and unauthorized disclosure.

[8] The 2008 CSI Computer Crime and Security Survey, by Robert Richardson, Director of Computer Security
Institute, was based on the responses of more than 500 computer security practitioners from government and private
institutions. According to the survey, virus incidents occurred most frequently (49 percent) at respondents’
organizations in 2008.
Insider abuse of networks was the second-most frequently occurring incident (44 percent).

Incident reporting controls could be enhanced to ensure better tracking and
processing of incidents
The Office of Management and Budget requires Federal Government agencies to report all
incidents involving personally identifiable information, in electronic or hard copy form, to the
United States Computer Emergency Readiness Team within 1 hour of discovering the incident,
without taking the time to distinguish between suspected and confirmed security breaches. In
order to comply with Federal regulations, IRS employees are required to report security incidents
immediately upon identification, not to exceed 1 hour, to 1) the employee’s immediate manager,
2) the IRS Computer Security Incident Response Center (CSIRC), and 3) the Treasury Inspector
General for Tax Administration (TIGTA) Office of Investigations (OI). The CSIRC is
responsible for reporting the incidents to the Treasury Computer Security Incident Response
Center, which serves as the central point of contact for escalating incidents reported by its
bureaus to the United States Computer Emergency Readiness Team, meeting the stringent
reporting time periods set by the Office of Management and Budget.

The CSIRC is also responsible for directing incidents involving potential loss of personally
identifiable information to the IRS Office of Privacy, Information Protection, and Data
Security (PIPDS).
Lost or compromised personally identifiable information may be used to perpetrate identity theft or other forms of fraud if the information falls into unauthorized hands. Personally identifiable information is information in either electronic or hard copy format that can be used to distinguish or trace an individual’s identity, such as an individual’s name, Social Security Number, Individual Taxpayer Identification Number, or address.

The PIPDS manages the process within the IRS to notify individuals who are at high risk of harm following a loss of personally identifiable information. The affected individuals are notified without unreasonable delay following a risk assessment of the incident. The IRS sends a concise notification to affected individuals, which includes free credit monitoring services for 1 year and other useful information and contacts to assist the taxpayer in protecting themselves from harm. For example, from October 1, 2006, to September 17, 2008, the PIPDS identified 132 incidents for which the risk of identity theft or other harm was likely, and sent notification letters to 17,498 potentially affected taxpayers.

The TIGTA OI is responsible for investigating all incidents to determine whether employee negligence was involved and, if found, to provide a report to the IRS Human Capital Office. Based on the OI report and the pertinent facts of the case, the Human Capital Office works with the employee’s respective manager to determine the appropriate penalty. It also tracks the disciplinary actions taken against negligent employees.

During our prior review, we identified inadequate coordination between the IRS CSIRC and the TIGTA OI to ensure proper reporting of security incidents. We found that IRS employees did not consistently report security incidents to both the CSIRC and the OI as required by IRS policy.
As a result, of the 387 incidents that occurred from January 2, 2003, to June 13, 2006, the CSIRC was aware of 91 (24 percent) incidents and the OI was aware of 296 (76 percent) incidents. Of the incidents that each organization was aware of, the CSIRC shared 42 incidents with the OI, and the OI did not share any incidents with the CSIRC.

To correct this condition, the CSIRC and the OI entered into a Memorandum of Understanding (MOU), effective December 28, 2006, that defined their joint responsibilities for tracking and sharing computer security incidents involving the loss or theft of information technology assets.⁹ Each organization was to monitor reported incidents in separate tracking systems, assign case numbers, provide automated notification of received incident reports to the other organization, and perform monthly reconciliations of the incident reports received to ensure all incidents were properly documented.

Our current review found that the number of reported incidents known by both the CSIRC and the OI significantly increased. From January 1, 2007, to September 17, 2008, 535 incidents occurred that were required to be shared under the MOU. Of the 535 incidents, the CSIRC was aware of 515 (96 percent) and the OI was aware of 514 (96 percent).
We attribute this significant improvement to the IRS informing employees of their responsibilities for reporting incidents and to the CSIRC and OI implementation of automated notification of received incidents to each other in accordance with the MOU.

However, we believe additional improvements are needed to ensure all incidents are known by both the CSIRC and the OI so that all incidents are properly addressed. Of the 535 incidents, the OI was unaware of 21 incidents that were in the CSIRC tracking system. The OI determined that the CSIRC had not sent automated notification for 7 of these 21 incidents, and that the OI had not captured 14 incidents that the CSIRC had sent. Incidents that are not captured by the OI may not be evaluated for employee negligence or investigative purposes.

Of the 535 incidents, the CSIRC was unaware of 20 incidents that were in the OI tracking system. The CSIRC determined that the OI had not sent automated notification for 18 of these 20 incidents, and the CSIRC had not captured 2 incidents that the OI had sent. Incidents that were not captured by the CSIRC may not meet reporting deadlines or may not be routed to the PIPDS for determination of whether taxpayers should be notified.

The MOU required the CSIRC and the OI to collaboratively perform reconciliations of their separate tracking systems to ensure that all incidents had been captured by both organizations. However, neither the CSIRC nor the OI was performing such reconciliations to identify incidents that had not been shared. During our review, we found that the two tracking systems do not have a common case identifier, making it very difficult and tedious to perform a reconciliation. The CSIRC assigns a unique case identifier to each incident it receives, and the OI assigns a complaint number.
The CSIRC modified its tracking system to capture the OI complaint number when inputting cases sent by the OI. However, differences in the case data that the CSIRC and the OI record, and timing differences for when automated notifications are sent and when case and complaint numbers are assigned, make it difficult to match cases in the two tracking systems and to reconcile differences.

⁹ Information technology assets include desktop computers, laptop computers, servers, Blackberries, CD/DVD, flash drives, floppy discs, and other portable media.

In addition, the MOU required sharing only the loss or theft of information technology assets, which left some important incidents unshared. For example, we identified 85 incidents involving the loss of taxpayer data in hard copy format that occurred during the period the MOU was in effect and, therefore, were not required to be shared between the CSIRC and the OI. Of these 85 incidents, the CSIRC tracking system contained 63 incidents that were not in the OI tracking system, and the OI tracking system contained 22 incidents that were not in the CSIRC tracking system. Therefore, these 22 incidents were not sent to the PIPDS for review to determine whether taxpayers should be notified. In general, the loss of hard copies that contain taxpayer data is of higher risk than the loss of computer equipment because hard copies are not encrypted.
The PIPDS must also ensure taxpayers are timely informed and offered assistance in these instances.

Continued efforts are needed to ensure that all security incidents are captured by both organizations to properly address and reconcile incident reporting. Limiting the type of incidents to share and not reconciling all incidents known by each organization may prevent the IRS from meeting incident reporting time periods, fulfilling taxpayer notification requirements, and applying consistent disciplinary actions for employee negligence.

Management Actions: Subsequent to completion of our fieldwork, the IRS CSIRC and the TIGTA OI met to collaborate on a solution and agreed that the MOU needed revision to better represent the current environment of incident reporting. Possible revisions include developing a better definition of what constitutes personally identifiable information (i.e., inclusion of hard copy records) and enhancing the reporting process by using a common identifier to ensure transparent reporting. The discussion included consideration of designating the CSIRC as the central point of contact in order to reduce employee burden for making three contacts when an incident occurs, and to better ensure the CSIRC can fulfill the 1-hour reporting requirement.

Controls over backup data have improved but require additional enhancements to fully protect taxpayer data

The IRS requires that data at each of its offices be backed up to facilitate business resumption efforts in the event of a disaster. This backup data should be stored offsite to ensure its availability and be encrypted to protect against unauthorized disclosure.
To further protect this backup data, the IRS requires that all IRS offices conduct an annual inventory of their backup data to guarantee all data are properly accounted for and to periodically validate the list of employees who are authorized to access the backup data at offsite storage facilities to ensure its protection.

During our prior review, the IRS was not encrypting backup data that were sent to offsite storage facilities. In addition, the IRS was not performing annual inventory validations of the backup data and was not always performing periodic reviews of the approved access list of employees authorized to access the offsite storage facilities. We recommended that the IRS encrypt backup data prior to it being sent offsite and conduct the annual inventory validations and verifications of employees on access lists as required. The IRS agreed with our recommendations.

During this review, we found that the IRS revised its processes and procedures and no longer required some offices to send their backup data to offsite facilities. The new procedures require field offices to electronically transmit their backup data through a secured network to one of three IRS Computing Centers.¹⁰ The Computing Centers then encrypt the backup data prior to sending the data to offsite storage facilities.
We confirmed that the two field offices we visited had implemented the new procedures to transmit their backup data through the IRS secured network to the Computing Center, where they were encrypted before being sent to offsite storage.

To follow up on the backup issues at offsite facilities, we visited one of the three IRS Computing Centers charged with controlling IRS backup data. We confirmed that the data were encrypted prior to being sent to offsite storage. However, the IRS did not conduct the annual inventory validation of the backup data at the offsite facility. We selected 30 computer tapes from the inventory listing and physically accounted for all of the tapes. In addition, the IRS had not validated the access list of IRS employees authorized to access the backup data at the offsite facility since December 2007. As a result, we identified 15 individuals on the access list who no longer had a business need to have access to the backup data at the offsite facility.

Lastly, the one headquarters office we visited was not sending its backup data offsite or securing it as required. The data were being maintained onsite, leaving them vulnerable to the same disaster that potentially could disable the headquarters office. While this issue did not specifically involve the protection of backup data from unauthorized individuals, it could potentially affect the availability of the data if a disaster occurs at that headquarters office.

The IRS indicated these weaknesses were caused by management turnover (including retirement, reassignment, and promotion of managers) and a lack of management oversight over backup procedures. These backup data inventory and access weaknesses increase the risk that sensitive data, including personally identifiable information, could be lost or stolen from offsite storage facilities.
In addition, not storing backup data securely or at an alternative location puts the data at risk of being permanently destroyed in the event of a disaster.

¹⁰ IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.

Recommendations

The Chief Technology Officer should ensure that:

Recommendation 1: The IRS collaborates with the TIGTA to revise the MOU to ensure that all incidents involving personally identifiable information in electronic or hard copy form are properly reported and shared between the IRS CSIRC and the TIGTA OI.

       Management’s Response: The IRS agreed with this recommendation. The IRS CSIRC will collaborate with the TIGTA OI, the PIPDS, and the IRS Office of Disclosure to revise the MOU to better represent the current environment of incident reporting and sharing.

Recommendation 2: All backup data are properly protected from unauthorized access and disclosure. Specifically, IRS offices should 1) follow policies and procedures for sending backup data to designated locations, 2) conduct annual inventory reconciliations of stored backup media at all offsite storage facilities in accordance with IRS policy, and 3) validate lists of IRS employees authorized to access the backup data at offsite storage facilities when changes occur or at least annually.

       Management’s Response: The IRS agreed with this recommendation.
       To ensure consistency in media management policies and procedures, the Enterprise Operations organization will initiate consolidation of media management into one organization. The Modernization and Information Technology Services organization will also ensure backup media is properly protected from unauthorized access and disclosure by ensuring media management controls and encryption are in place. In addition, the Modernization and Information Technology Services organization will follow policies and procedures for sending and maintaining backup data to designated offsite storage facilities and will schedule and conduct regular offsite storage facility reconciliations as documented in IRS procedures and validate the authorized access list on an annual basis.

Appendix I

Detailed Objectives, Scope, and Methodology

The overall objective of this review was to determine whether the IRS is adequately protecting sensitive data on laptop computers and other portable electronic media devices. The audit focused on the security of laptop computers and the encryption¹ of sensitive data maintained on laptop computers. We also evaluated the controls over incident reporting and the storage methods for backup tapes at non-IRS offsite facilities.

To accomplish our objectives, we:

I. Determined the effectiveness of procedures and controls implemented to protect sensitive data on laptop computers and other portable electronic media.
   A. Analyzed the reporting of 866 incidents involving the loss or theft of electronic devices or hard copy documents from June 14, 2006, to September 17, 2008, received from the IRS CSIRC² and the TIGTA OI.³ For each incident, we:
      1. Identified how the incident occurred and determined whether the laptop contained sensitive information based on the information provided.
      2. Determined whether the incident was reported to the CSIRC and the OI.
   B. Selected a judgmental sample of 100 laptop computers from 4 IRS Area Offices. The four sites visited were Oklahoma City, Oklahoma; Jacksonville, Florida; Memphis Computing Center, Memphis, Tennessee; and New Carrollton, Maryland. We used a judgmental sample because we were not projecting the review results.
   C. At the four sites, we:
      1. Interviewed the 100 employees to which the sample of 100 computers were assigned to determine whether employees used cable locks to protect their computers and whether they recalled receiving encryption and incident reporting training.
      2. Determined whether taxpayer information stored on laptop computers was unencrypted by analyzing the hard drives on the 100 laptop computers.
      3. Evaluated the controls over the protection of the startup process⁴ on the sample of 100 laptop computers.
II. Determined the effectiveness of procedures and controls implemented to protect sensitive data on media such as backup media.
   A. Assessed the security and encryption placed on backup media that are to be stored at a non-IRS offsite facility.
   B. Assessed the adequacy of the physical security controls where the media were stored.
   C. Reconciled the list of backup media to assess the accuracy and completeness of the written inventory.
   D. Judgmentally selected 30 computer tapes from the inventory listing at 1 IRS Computing Center⁵ and physically accounted for all of the tapes. We used a judgmental sample because we were not projecting the results of the review and were unable to readily determine the total number of computer tapes stored at the facility.
   E. Validated the list of IRS employees authorized to access the facility and the data.

¹ Encryption is a method to convert readable text (i.e., plaintext) to unreadable text (i.e., ciphertext) by applying mathematical algorithms and one or more encryption keys. This is generally performed to protect the confidentiality, integrity, and authenticity of data during storage or transmission.

² The CSIRC is responsible for ensuring security incidents are reported to the United States Computer Emergency Response Team, in compliance with stringent time periods and for funneling incidents involving potential loss of personally identifiable information to the IRS PIPDS for a determination of whether taxpayers must be contacted regarding compromised data.

³ The OI is responsible for investigating all incidents to determine if employee negligence was involved and, if found, to provide a report to the IRS Human Capital Office.

⁴ This process represents a computer’s internal process of starting up when it is powered up. The process involves the execution of preset instructions located on the computer’s hard drive, including startup of security features of the computer, such as password protection.

⁵ IRS Computing Centers support tax processing and information management through a data processing and telecommunications infrastructure.

Appendix II

Major Contributors to This Report

Margaret E. Begg, Acting Assistant Inspector General for Audit (Security and Information Systems Technology Services)
Kent Sagara, Acting Director
Jody Kitazono, Acting Audit Manager
Alan Beber, Senior Auditor
Charles Ekunwe, Senior Auditor
George Franklin, Senior Auditor
Bret Hunter, Senior Auditor
Louis Lee, Senior Auditor
Midori Ohno, Senior Auditor
Linda Screws, Senior Auditor
Louis Zullo, Senior Auditor

Appendix III

Report Distribution List

Commissioner C
Office of the Commissioner – Attn: Chief of Staff C
Deputy Commissioner for Operations Support OS
Chief Information Officer OS:CTO
Associate Chief Information Officer, Cybersecurity OS:CTO:C
Associate Chief Information Officer, Enterprise Operations OS:CTO:EO
Director, Cybersecurity Programs and Policies OS:CTO:C:PP
Chief Counsel CC
National Taxpayer Advocate TA
Director, Office of Legislative Affairs CL:LA
Director, Office of Program Evaluation and Risk Analysis RAS:O
Office of Internal Control OS:CFO:CPIC:IC
Audit Liaisons:
       Chief Technology Officer OS:CTO
       Associate Chief Information Officer, Cybersecurity OS:CTO:C

Appendix IV

Management’s Response to the Draft Report